Banks Sue Security Vendor Trustwave After Target Data Breach

The security vendor Trustwave has been accused of failing to identify security gaps at Target, according to a lawsuit filed by banks for damages suffered from the holiday season data breach.

Plaintiffs Trustmark National Bank and Green Bank N.A. seek class-action status and damages of more than $5 million. Their lawsuit is one of nearly 100 that have been filed by Target customers or banks because of the breach. New York-based Trustmark and Houston-based Green Bank filed their suit March 24 in Chicago's U.S. District Court, naming Trustwave Holdings and Target Corp. as defendants.

The banks acknowledge in their complaint that Chicago-based Trustwave has "performed more Payment Card Industry Data Security Standard certifications than all other companies combined." The PCI standard describes how companies that handle payment card data must protect it against theft.

About 40 million credit and debit card accounts were compromised after hackers made their way into the company's payment data through a security gap attributed to its a heating and air-conditioning supplier.

Trustwave declined to comment on the lawsuit. Target did not respond to inquiries regarding the lawsuit and has not spoken publicly about any of the legal actions in the wake of the breach.

The banks claim Target was likely out of compliance with the PCI standard because the hack went unnoticed for 18 days, according to media reports. In previous data breaches, companies such as Heartland Payment Systems were found to be out of compliance with the PCI standard even though they had passed assessments prior to being hacked.

The complaint cites Trustwave's background and advertising itself as having "deep expertise in PCI compliance," but claims, based on "information and belief," that Trustwave told Target on Sept. 20, 2013 that its computer systems had no vulnerabilities.

Citing a New York Timesreport, the banks say that Target kept card data on its servers for six full days before hackers transmitted it to a separate webserver outside of Target's network.

The complaint alleges the vulnerabilities in the Target system were "either undetected or ignored by Trustwave," allowing hackers access to millions of card account and personal records.

The suit estimates that the banks will spend about $172 million reissuing credit and debit cards. Their total losses, including fraudulent charges, could hit $18 billion, according to the lawsuit.